Pass the CREST Practitioner CPTIA Questions and answers with ValidTests

Internal intelligence feeds are derived from data and information collected within an organization's own networks and systems. Jian's activities, such as real-time assessment of system activities and acquiring feeds from honeynets, P2P monitoring, infrastructure, and application logs, fall under the collection of internal intelligence feeds. These feeds are crucial for identifying potential threats and vulnerabilities within the organization and form a fundamental part of a comprehensive threat intelligence program. They contrast with external intelligence feeds, which are sourced from outside the organization and include information on broader cyber threats, trends, and TTPs of threat actors.References:

"Building an Intelligence-Led Security Program" by Allan Liska

"Threat Intelligence: Collecting, Analysing, Evaluating" by M-K. Lee, L. Healey, and P. A. Porras

Whaling is a specific type of phishing attack that targets high-profile executives or individuals within an organization, often with the intent to steal sensitive information or gain access to their accounts for financial fraud. The term "whaling" is used because it targets the "big fish" of an organization. Given that Sam identified the targets of the attack as high-profile executives, the described scenario is indicative of a whaling attack.

References:The CREST CPTIA curriculum includes a section on different types of phishing attacks, including whaling, emphasizing the strategies attackers use to target individuals based on their roles within an organization.

Email-bombing refers to the attack where the attacker sends a massive volume of emails to a specific email address or mail server in order to overflow the mailbox or overwhelm the server, potentially causing it to fail or deny service to legitimate users. This attack can disrupt communications and, in some cases, lead to the targeted email account being disabled. Masquerading involves pretending to be another legitimate user, spoofing is the creation of emails (or other communications) with a forged sender address, and a smurf attack is a specific type of Distributed Denial of Service (DDoS) attack that exploits Internet Protocol (IP) and Internet Control Message Protocol (ICMP) to flood a target with traffic. Email-bombing specifically targets email services with the goal of causing disruption by overflowing inboxes.References:CREST CPTIA courses and study guides often include discussions on various attack vectors used by cybercriminals, including email-based threats and their impact on organizational security.

A zero-day attack exploits vulnerabilities in software or hardware that are unknown to the vendor or for which a patch has not yet been released. These attacks are particularly dangerous because they take advantage of the window of time between the vulnerability's discovery and the availability of a fix, leaving systems exposed to potential exploitation. Zero-day attacks require a proactive and comprehensive approach to security, including the use of advanced threat detection systems and threat intelligence to identify and mitigate potential threats before they can be exploited.References:

"Understanding Zero-Day Exploits," by MITRE

"Zero-Day Threats: What They Are and How to Protect Against Them," by Symantec

Employee monitoring tools are primarily used by employers to detect and prevent malicious insider threats. These tools can track activities such as data access, data exfiltration attempts, unauthorized actions, and other behaviors that could indicate malicious intent or pose a risk to the organization's security. While such tools may also incidentally uncover issues like lost registry keys, conspiracies, or stolen credentials, their main purpose is to safeguard against insiders who might misuse their access to harm the organization, steal data, sabotage systems, or engage in espionage.References:CREST CPTIA study materials cover various security measures and tools that organizations can use to protect against insider threats, emphasizing the role of monitoring in detecting and responding to malicious activities by insiders.

The statement "Do not download or execute applications from trusted sources" is incorrect and not considered a good practice for maintaining information security and eradicating malware incidents. In contrast, downloading or executing applications from trusted sources is a fundamental security best practice. Trusted sources are vetted and are generally considered safe for downloading software, updates, and applications. This practice helps to minimize the risk of introducing malware into the organizational environment. The other options (A, B, C) represent good practices that help in reducing the likelihood of malware infections by avoiding potentially harmful actions.

References:The CREST CPTIA materials from EC-Council provide guidance on best practices for malware prevention and response, underscoring the importance of relyingon trusted sources for software and application downloads as part of a robust information security strategy.

Threat Grid is a threat intelligence and analysis platform that offers advanced capabilities for automatic data collection, filtering, and analysis. It is designed to help organizations convert raw threat data into meaningful, actionable intelligence. By employing advanced analytics and machine learning, Threat Grid can reduce noise from large data sets, helping to eliminate misrepresentations and enhance the quality of the threat intelligence. This makes it an ideal choice for Tim, who is looking to address the challenges of converting raw data into contextual information and managing the noise from massive data collections.References:

"Cisco Threat Grid: Unify Your Threat Defense," Cisco

"Integrating and Automating Threat Intelligence," by Threat Grid

URL encoding, also known as percent-encoding, is a mechanism for encoding information in a Uniform Resource Identifier (URI) under certain circumstances. This technique involves replacing unsafe ASCII characters with a "%" followed by two hexadecimal digits that represent the character's ASCII code. This is necessary for embedding characters that are not allowed in URLs directly, such as spaces and symbols, or characters that have special meanings within URLs, ensuring that the URL is correctly interpreted by web browsers and servers.

References:The concept of URL encoding is fundamental to web application security, a topic that is covered in the CREST CPTIA program by EC-Council. Understanding encoding techniques is crucial for incident handlers dealing with web-based attacks and investigations.

In the cyber kill chain methodology, the phase where Jame is creating a tailored malicious deliverable that includes an exploit and a backdoor is known as 'Weaponization'. During this phase, the attacker prepares by coupling a payload, such as a virus or worm, with an exploit into a deliverable format, intending to compromise the target's system. This step follows the initial 'Reconnaissance' phase, where the attacker gathers information on the target, and precedes the 'Delivery' phase, where the weaponized bundle is transmitted to the target. Weaponization involves the preparation of the malware to exploit the identified vulnerabilities in the target system.References:

Lockheed Martin's Cyber Kill Chain framework

"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," leading to the development of the Cyber Kill Chain framework

Phishing emails often share common characteristics designed to manipulate the recipient into taking immediate action. One of the hallmark features is the use of urgency, threatening language, or promising subject lines in the emails. These tactics are intended to create a sense of urgency or fear, compelling the recipient to respond quickly without giving due consideration to the legitimacy of the email. Phishing emails may claim that the recipient's account has been compromised, that they need to confirm personal information immediately, or that they have won a prize. The goal is to trick the recipient into clicking on malicious links, opening attachments, or providing sensitive information.

References:The Certified Incident Handler (CREST CPTIA) program by EC-Council covers the identification and handling of phishing incidents, including the analysis of phishing emails and the importance of educating users on recognizing and responding to phishing attempts.